TITLE OF THE INVENTION

IC Card 

ABSTRACT 
[Problems] 

To provide an IC card in which information about the 
key used for encrypting or decrypting cannot be estimated 
from the time at which the response to a command is 
transmitted.

[Means for solving the problem] 

An IC card comprising a CPU and a memory which is 
accessible by the CPU, wherein the data is encrypted or 
decrypted using a key, in the form of information that has 
been stored in the memory, in response to an external 
command. The response to that result is transmitted beyond 
the card, and a delay process is applied, during or before 
and after encrypting or decrypting, to delay the time at 
which the response to a command is transmitted (S314 to
S316). This is done so that the relationship between the
time at which the response to a command is transmitted and
information about the key will be removed.

WHAT IS CLAIMED 
[Claim 1] 

An IC card comprising a CPU and a memory which is 
accessible by said CPU, wherein data is encrypted or 
decrypted, on receipt of an external command, by using a 
key in the form of information stored in said memory, and 
the resulting information is transmitted outside the chip 
as the result, characterized in that:

there is a delay unit to delay the time at which the 
response to a command is transmitted; and 

the relationship between the content of said key and
the time at which the response to a command is transmitted
is removed by applying said delay unit during, or before
and after, said encrypting or decrypting process.

[Claim 2] 

An IC card, as described in Claim 1, characterized in 
that:

the operation of said delay unit is essentially 
separate from said encrypting and decrypting processes, 
and the CPU makes it take a random period of time. 

[Claim 3] 

An IC card as described in Claim 1, characterized in 
that: 

it has a means for counting time which transmits an 
indication of the passage of a predetermined period; and 

said delay unit is to suspend the start or 
continuation of said encrypting or decrypting by said CPU 
until said indication is transmitted from said means for 
counting time. 

[Claim 4] 

An IC card, as described in any of Claims 1 to 3,
characterized in that: 

said delay unit provides a fixed time for said
encrypting or decrypting processes regardless of the bit 
configuration in said key. 

DETAILED DESCRIPTION OF THE INVENTION 

[0001]

[Scope of Utilization in Industry] 

This invention concerns an IC card which encrypts or 
decrypts data in response to an external command. 

[0002]

[Prior Art]

Recently, the focus has been on IC cards as a new 
information storage medium to replace magnetic cards. In 
particular, IC cards which incorporate CPUs are expected 
to find application in various fields in a highly 
information-oriented society because they can realize a 
high level of security since their information processing 
functions go beyond the function of being a medium for 
storing information. Generally speaking, an IC card 
incorporates a nonvolatile memory such as an EEPROM in 
which information is stored as files. An internal CPU 
accesses the EEPROM on the basis of its interpretation and
implementation of commands received from an external 
source. There are predetermined access conditions for 
each file. The CPU only accesses a file when its access 
conditions are satisfied by the arguments of the command. 
The IC card prevents illicit alteration or theft of data 
by third parties who do not have just title to the data. 

[0003] 

In addition, in an IC card system, data is encrypted 
when it is transferred between an IC card and a reader- 
writer. This prevents the content of a signal carrying 
information between the reader-writer and the IC card from 
being stolen, even when the signal is illicitly acquired 
by third parties. Figure 8 shows the transitions of 
information during transfer between external equipment 
such as reader-writers and an IC card. The external 
equipment produces cryptogram X by applying a 
predetermined encrypting to plain text A then transmits 
the cryptogram to the IC card. The IC card decrypts 
cryptogram X by decrypting which corresponds to the 
encrypting used by the external equipment. After the 
decrypting has been completed, the IC card edits
information as a response to indicate the completion of
this process then transmits this response to the external
equipment. The given sequence of processing is completed 
when the external equipment receives this response. 

[0004]

Plain text is usually encrypted by calculating the 
result of a formula with the plain text and a 
predetermined key as the variables. A typical example of 
a method for encrypting which is now proposed is the RSA 
cryptogram (refer to "A method for obtaining digital 
signatures and public-key cryptosystems" by R. L. Rivest,
A. Shamir, and L. M. Adleman, Communications of the ACM, Vol.
21, No. 2, pp. 120-126, Feb. 1978). The RSA cryptogram
is a so-called asymmetric key method of encryption, and 
this means that different key information is used for 
encrypting plain text and decrypting cryptograms. One of 
the two types of asymmetric key information is a secret 
key that is stored but kept secret from third parties and 
the other is used as a public key to be broadly made 
public to third parties. 

[0005] 

An RSA cryptogram is decrypted according to the
formula $A = X^{Y} \pmod{N}$. Here, A is the plain text, X is
the cryptogram, Y is the secret key, and N is the public
key. An RSA cryptogram is decrypted by calculating this
modular exponential. Consequently, the amount of
calculation required is usually enormous. Therefore, a
calculation algorithm is used to reduce the calculation
involved in obtaining the modular exponential. One known
example of an algorithm that reduces the amount of
calculation involved in this exponential function is the
binary calculation of exponential functions (refer to The
Art of Computer Programming, Vol. 2, Seminumerical
Algorithms, by D. E. Knuth, Addison-Wesley, 2nd edition,
1981).

[0006] 

In the calculation of an RSA cryptogram, this binary
calculation of exponential functions is applied along with
an algorithm called the Montgomery method, which allows
modular operations to be carried out with relatively few
calculations (refer to "Modular Multiplication without
Trial Division" by P. L. Montgomery, Mathematics of
Computation, Vol. 44, No. 170, pp. 519-521, Apr. 1985).
When the Montgomery method is applied, the modular
calculations involved in calculating the modular
exponential $A = X^{Y} \pmod{N}$ are carried out according to the
algorithm shown in Figure 9.

[0007] 

Firstly, the four values of N, X, Y, and R are input
(S902). Here, X satisfies the relationship $0 < X < N$ with
respect to N. In addition, secret key Y is expressed in
binary form as $Y = e_j e_{j-1} \cdots e_2 e_1$. Here, $e_i$ is the
value of the ith bit. R is defined as $R = 2^{j}$, using the
number of bits j of Y. Next, Montgomery moduli A* and B* are
determined for the input values (S904). The Montgomery modulus
is defined with a one-to-one relationship with $a \pmod{n}$, as
$a^{*} = a r \pmod{n}$, using n as a divisor. Here, n is a k-bit
integer, $2^{k-1} < n < 2^{k}$, $r = 2^{k}$, and $\gcd(r, n) = 1$,
where gcd is the greatest common divisor.

[0008] 

The Montgomery product is then calculated for each bit
of exponent Y (S906 to S912). That is, when exponent Y is
composed of j bits, the calculation in the Montgomery
product step, S910, takes place j times. Here, the
Montgomery product is a product, defined as
$\mathrm{MonPro}(a^{*}, b^{*}) = a^{*} b^{*} r^{-1} \pmod{n}$.
Figure 10 is a flowchart of the
processing involved in finding the Montgomery product.
Two Montgomery product operations, S1002 and S1006, are
involved in determining the Montgomery product. The
operation S1002 is carried out regardless of whether the
given bit of exponent Y is 1 or 0. On the other hand, the
operation S1006 is only carried out for the respective
bits of exponent Y that are 1. When the calculations that
make up the loop (S906 to S912) have been completed for
all bits of exponent Y, the Montgomery product of A* and 1
(S914) is obtained. As a result, plain text A is acquired
by decrypting cryptogram X, and this completes the
sequence of decrypting.

[0009] 

[Problems to be Solved by the Invention] 

As described above, the conventional decrypting
process on an IC card differs according to whether or not
each binary digit of the input exponent Y is 1. That is,
in the processing shown in Figure 10, calculation takes
place on the two steps S1002 and S1006 when the
corresponding bit is 1 and on the single step S1002 when
the corresponding bit is 0. Accordingly, the time
required for decrypting depends on the number of 1-valued
bits in the exponent, and increases with the number of
1-valued bits.

[0010] 

Third parties are able to record the time elapsed
between the transmission of the command for the decrypting
of a cryptogram to the IC card and the sending back of a
response, use this to find the time required for
decrypting by the IC card, and then estimate the ratio of
1-valued and 0-valued bits in the exponent (secret key) Y
used in the calculation of the modular exponential. That
is, there is a problem with conventional IC cards in that
the time when a response is transmitted may be used to
crack the secret key Y and this is a danger to the
security of such IC cards.

[0011] 

So, the subject of this invention is the provision of
IC cards that prevent the use of the time taken for the
response to an external command to be transmitted to
estimate information about the key which was used for
encrypting or decrypting.

[0012]

[Means for Solving the Problem] 

In order to solve the above problem, the invention 
related to Claim 1 is an IC card comprising a CPU and a 
memory which is accessible by said CPU, wherein data is 
encrypted or decrypted, on reception of an external 
command, by using a key in the form of information stored 
in said memory, and the resulting information is 
transmitted outside the chip as the result, and 
characterized in that:

there is a delay unit to delay the time at which the 
response to a command is transmitted; and 

the relationship between the content of said key and 
the time at which the response to a command is transmitted 
is removed by applying said delay unit during, or before 
and after, said encrypting or decrypting process. 

[0013] 

The invention related to Claim 2 is an IC card, as 
described in Claim 1, characterized in that: 

the operation of said delay unit is essentially 
separate from said encrypting and decrypting processes, 
and the CPU makes it take a random period of time. Here,
"the operation ... is essentially separate" means that
normal encrypting or decrypting is possible, even if the
unit does not operate. "Take a random period of time"
means, for example, that an operation which requires a
fixed time for execution is executed a random number of
times, or that an operation for which the execution time
is randomly decided on each execution is executed once,
twice, or more times.

[0014]

The invention related to Claim 3 is an IC card, as
described in Claim 1, characterized in that:

it has a means for counting time which indicates the
passage of a predetermined period; and

said delay unit is to suspend the start or
continuation of said encrypting or decrypting by said CPU 
until said indication is transmitted from said means for 
counting time. 

The invention related to Claim 4 is an IC card as 
described in any of Claims 1 to 3, characterized in that:

said delay unit provides a fixed time for said 
encrypting or decrypting processes regardless of the bit 
configuration in said key. 

[0015] 

[Embodiments of the invention] 

This invention is described in detail below, on the 
basis of embodiments, with reference to drawings. 

(First embodiment) 

The first embodiment of this invention is an IC card 
that can use the RSA, an asymmetric-key encrypting method, 
to encrypt plain text or decrypt a cryptograph. In this 
embodiment, encrypting or decrypting by the RSA is applied 
as a numerical algorithm in which the Montgomery method is 
used, as shown in Figure 9. Figure 1 is a drawing of the 
configuration of an IC card related to this embodiment. 
As shown in Figure 1, IC card 10 is equipped with ROM 12 
which is a read-only memory, RAM 14 which is a volatile 
memory, EEPROM 16 which is an electrically programmable 
nonvolatile memory, CPU 18 which has access to these 
memories, and timer module 20. Here, the timer module is 
a counting device, the operation of which is independent 
of that of CPU 18. It sends an interrupt to CPU 18 to 
indicate the passage of an assigned period of time. 

[0016]

IC card 10 is equipped with an I/O line for the
transfer of, for example, electric signals, and
accompanied by a reader-writer (not shown). When an IC
card is inserted in the reader-writer, a contact point is
connected with this I/O line, for the transfer of electric
signals. Commands are issued to CPU 18 via said I/O line.
A command is information sent to the IC card when the 
reader-writer requires a predetermined operation of the IC 
card. When a command is issued to CPU 18, a program 
stored in ROM 12 or EEPROM 16 is executed to process that 
command. 

[0017] 

Figure 2 shows the format of an RSA_CALC command,
which is one of the commands used in this embodiment. The
RSA_CALC command makes the IC card 10 decrypt a cryptogram
and send back the plain text obtained thereby as a
response. The first five bytes of the RSA_CALC command
are, respectively: CLA that indicates the class of a
command, INS that indicates a classification, P1 and P2
that are the parameters of the command, and LC that
indicates the length of subsequent DATA (as a number of
bytes). The DATA from the sixth byte onward is the
cryptogram X to be decrypted. Furthermore, the single LE
byte that follows DATA is the expected length of the
response. The value of LE is set so that all encrypted or
decrypted data is thus sent back with a maximum length of
256 bytes in this embodiment.
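
The command layout of Figure 2, as an added C example that is not part of the patent: a parser that checks the five header bytes, LC, DATA and LE against the received length before any key operation starts. The CLA and INS values in the sample, the status names, and the reading of LE = 0x00 as 256 bytes (the ISO/IEC 7816-4 short-form convention) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum parse_status { PARSE_OK, ERR_TOO_SHORT, ERR_NO_DATA, ERR_LENGTH_MISMATCH };

struct rsa_calc_cmd {
    uint8_t cla, ins, p1, p2;   /* class, instruction, parameters      */
    uint8_t lc;                 /* number of DATA bytes                */
    const uint8_t *data;        /* cryptogram X, points into the input */
    unsigned le;                /* expected response length, 1..256    */
};

/* Constructed sample: CLA=0x80 and INS=0x10 are placeholders, the four
   DATA bytes stand in for a cryptogram, LE=0x00 asks for up to 256 bytes. */
static const uint8_t SAMPLE_CMD[] = {
    0x80, 0x10, 0x00, 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF, 0x00
};

static enum parse_status parse_rsa_calc(const uint8_t *buf, size_t len,
                                        struct rsa_calc_cmd *out)
{
    if (len < 7)                       /* 5 header bytes + >=1 DATA + LE */
        return ERR_TOO_SHORT;

    uint8_t lc = buf[4];
    if (lc == 0)                       /* no cryptogram to decrypt */
        return ERR_NO_DATA;
    if (len != (size_t)5 + lc + 1)     /* LC must match what was received */
        return ERR_LENGTH_MISMATCH;

    out->cla  = buf[0];
    out->ins  = buf[1];
    out->p1   = buf[2];
    out->p2   = buf[3];
    out->lc   = lc;
    out->data = buf + 5;               /* DATA starts at the sixth byte */
    /* Assumption: LE = 0x00 encodes the 256-byte maximum. */
    out->le   = buf[5 + lc] == 0 ? 256u : buf[5 + lc];
    return PARSE_OK;
}

int main(void)
{
    struct rsa_calc_cmd cmd;
    enum parse_status st = parse_rsa_calc(SAMPLE_CMD, sizeof SAMPLE_CMD, &cmd);
    if (st != PARSE_OK) {
        printf("rejected, status %d\n", (int)st);
        return 1;
    }
    printf("CLA=%02X INS=%02X P1=%02X P2=%02X LC=%u LE=%u\n",
           (unsigned)cmd.cla, (unsigned)cmd.ins, (unsigned)cmd.p1,
           (unsigned)cmd.p2, (unsigned)cmd.lc, cmd.le);
    return 0;
}
```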

[0018] 

Figure 3 is a flowchart that indicates the operation
of IC card 10 when the RSA_CALC command is executed. When
the RSA_CALC command is received, cryptogram X is acquired
from the DATA part of RSA_CALC; public key N, secret key
Y, and constant R are then read from the predetermined
addresses of the EEPROM in which they are stored (S302).
Next, Montgomery moduli A* and B* are calculated from said
acquired values (S304). Furthermore, counter i is set to
the number of digits (number of bits) j in binary-valued
secret key Y (S306). A judgement of whether counter i is
greater than 0 is then made (S308).

[0019]

When counter i is determined to be greater than 0 by
judgement step S308, bits for which the Montgomery product
has not been calculated must remain among the bits that
configure secret key Y. In this case, CPU 18 calculates
the Montgomery product for the bit of the key which is
currently indicated by counter i (S310). S310 represents
the same process as described in S910 in Figure 9. CPU 18
specifies a predetermined time to timer module 20 and
starts it up at the same time as the processing of S310
starts. Here, the predetermined time is a time which is
equal to or greater than that required to calculate the
Montgomery product in S310 for a 1-valued bit. Timer
module 20 thus counts for a predetermined time in parallel
with the processing by CPU 18 of S310.

[0020] 

CPU 18 waits for the interrupt from timer module 20
after the processing of S310 has been completed (S314).
After the interrupt is received, CPU 18 decrements counter
i (S316) and then repeats the processes from S308 to S316.
On the other hand, counter i not satisfying "i>0" in S308
means that the Montgomery product has been calculated for
all bits which configure secret key Y. In this case, CPU
18 calculates the Montgomery product of A* and 1 as
indicated in S318 to acquire plain text A. Furthermore,
CPU 18 then edits this into the form that
is normally sent as a response to the RSA_CALC command,
and transmits this to the reader-writer (S320).

[0021] 

As described above, the IC card of this embodiment
counts a predetermined time by starting up the timer
module at the same time as the Montgomery product is being
calculated in S310, and the next process is not executed
until that time has elapsed, even after the Montgomery
product has been calculated so as to decrypt the
cryptogram. This procedure fixes the calculation time for
decrypting and makes it independent of the bit
configuration of secret key Y. In this embodiment, the
time taken between IC card 10 receiving the RSA_CALC
command and sending back its response thus becomes fixed
and independent of the content of the secret key.
Therefore, an IC card with an extremely high level of
security can be provided, in which the bit configuration
of the secret key cannot be estimated from the time at
which the response to a command is transmitted.
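
The per-bit timer slot of the first embodiment (S310 to S316), as an added C example that is not part of the patent: the exponentiation loop is run with a simulated tick counter, once without the delay unit and once with it, and the spread of response times over keys of equal length is measured. The 31-bit modulus, the sample keys, the tick costs and the use of A* as accumulator and B* as the Montgomery form of X are assumptions, since Figures 9 and 10 are not reproduced on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy parameters (not from the patent): r = 2^K and an odd
   modulus with 2^(K-1) < n < 2^K, small enough for uint64_t arithmetic. */
#define K        31
#define R_MASK   ((1u << K) - 1u)
#define SAMPLE_N 2145747229u
#define SAMPLE_X 123456789u

/* Assumed cost model: every Montgomery product takes MONPRO_TICKS (the
   data-dependent final subtraction inside it is ignored); the timer slot
   covers the two products of a 1-valued bit (S1002 + S1006). */
enum { MONPRO_TICKS = 100, SLOT_TICKS = 2 * MONPRO_TICKS };
enum delay_mode { UNPROTECTED, TIMER_SLOT };
struct result { uint32_t plain; uint64_t ticks; };

/* n' with n * n' = -1 (mod 2^K); Newton iteration, n must be odd. */
static uint32_t neg_inverse(uint32_t n)
{
    uint32_t inv = n;                  /* n * n = 1 (mod 8): 3 bits right */
    for (int i = 0; i < 4; i++)
        inv *= 2u - n * inv;           /* 6, 12, 24, 48 correct bits */
    return (0u - inv) & R_MASK;
}

/* MonPro(a*, b*) = a* b* r^-1 (mod n) */
static uint32_t monpro(uint32_t a, uint32_t b, uint32_t n, uint32_t np)
{
    uint64_t t = (uint64_t)a * b;
    uint64_t m = ((t & R_MASK) * np) & R_MASK;
    uint64_t u = (t + m * n) >> K;     /* t + m*n is a multiple of r */
    return (uint32_t)(u >= n ? u - n : u);
}

/* Loop of Figure 3 for a j-bit key y; ticks is the simulated time from
   command to response. */
static struct result rsa_calc(uint32_t x, uint32_t y, int j, uint32_t n,
                              enum delay_mode mode)
{
    uint32_t np = neg_inverse(n);
    uint32_t a = (uint32_t)(((uint64_t)1 << K) % n);   /* A* = 1 * r mod n */
    uint32_t b = (uint32_t)(((uint64_t)x << K) % n);   /* B* = X * r mod n */
    uint64_t ticks = 0;

    for (int i = j; i > 0; i--) {                      /* S308 */
        uint64_t busy = MONPRO_TICKS;
        a = monpro(a, a, n, np);                       /* S1002: every bit */
        if ((y >> (i - 1)) & 1u) {
            a = monpro(a, b, n, np);                   /* S1006: 1-bits only */
            busy += MONPRO_TICKS;
        }
        if (mode == TIMER_SLOT && busy < SLOT_TICKS)
            busy = SLOT_TICKS;                         /* S314: wait for timer */
        ticks += busy;
    }
    a = monpro(a, 1, n, np);                           /* S318: leave A* form */
    ticks += MONPRO_TICKS;
    return (struct result){ a, ticks };
}

/* Regression check for the delay unit: max - min response time over keys
   of the same length but different bit patterns; 0 means no dependence. */
static uint64_t timing_spread(enum delay_mode mode)
{
    /* Constructed 16-bit keys with 2, 8, 9 and 16 one-bits. */
    static const uint32_t keys[] = { 0x8001u, 0xAAAAu, 0xF0F1u, 0xFFFFu };
    uint64_t lo = UINT64_MAX, hi = 0;
    for (size_t k = 0; k < sizeof keys / sizeof keys[0]; k++) {
        uint64_t t = rsa_calc(SAMPLE_X, keys[k], 16, SAMPLE_N, mode).ticks;
        if (t < lo) lo = t;
        if (t > hi) hi = t;
    }
    return hi - lo;
}

int main(void)
{
    struct result r = rsa_calc(SAMPLE_X, 0xF0F1u, 16, SAMPLE_N, TIMER_SLOT);
    printf("plain text A = %u after %llu ticks\n",
           r.plain, (unsigned long long)r.ticks);
    printf("spread without delay unit: %llu ticks\n",
           (unsigned long long)timing_spread(UNPROTECTED));
    printf("spread with timer slot:    %llu ticks\n",
           (unsigned long long)timing_spread(TIMER_SLOT));
    return 0;
}
```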

[0022] 

(Second embodiment)

Next, the second embodiment of this invention is 
described. In the following description, the same symbol 
is used for those parts that function in the same manner 
as parts of the first embodiment, to avoid duplication of 
description. Figure 4 shows the configuration of IC card
30 of this embodiment. IC card 30 differs from IC card
10, the first embodiment, in that it does not have timer
module 20, but has co-processor 32, and uses this
co-processor 32 to calculate the Montgomery products. In the
same way as IC card 10, IC card 30 also decrypts
cryptogram X on receipt of an RSA_CALC command from the
reader-writer, and, when it has finished, transmits a
response to indicate that the command processing has been
completed. Decrypting is carried out on the basis of the 
RSA cryptogram, in the same way as in the first 
embodiment, and the calculation of the RSA cryptogram is 
according to the algorithm in which the Montgomery method 
is used. 

[0023] 

Figure 5 is a flowchart of the operation of IC card 30
when the RSA_CALC command is executed. In Figure 5, S502
to S508 have the same content as S302 to S308 in Figure 3,
and there is no operational difference between IC card 30
and IC card 10. When the condition i>0 is satisfied by
counter i in S508, CPU 18 hands over the values of A*, B*,
N, and R and the values of the respective bits of secret
key Y to co-processor 32. Co-processor 32 calculates the
Montgomery product terms such as A*, as shown in Figure
10. Using the co-processor to calculate the Montgomery
product allows faster decrypting by this embodiment.

[0024] 

On the other hand, CPU 18 handles a loop calculation, 
which is independent of decrypting, a predetermined number 
of times while co-processor 32 calculates the Montgomery 
product (S512). Here, the predetermined number of times
means a number of times such that the time required for
processing S512 by CPU 18 is equal to or greater than the
maximum time required for processing of S510 by
co-processor 32. After the loop calculation in S512 has been
completed, CPU 18 decrements counter i by 1 and the
processing of S508 to S514 is then repeated. The
repetition of the processing of S508 to S514 continues
until i>0 is no longer satisfied in S508, i.e., until
processing by S510 has been applied to all of the bits
which make up secret key Y. On the other hand, when i>0
is not satisfied in S508, the same processing as in S318
and S320 of Figure 3 is carried out (S516 and S518), and
the sequence of decrypting is complete.

[0025] 

(Third embodiment)

The third embodiment of this invention is now
described. Figure 6 shows the configuration of IC card 40
in this embodiment. IC card 40 differs from IC card 10 of
the first embodiment and IC card 30 of the second
embodiment in that it has neither timer module 20 nor
co-processor 32.

[0026]

Figure 7 is a flowchart that shows the operation of IC
card 40 when an RSA_CALC command is executed. The
operation of IC card 40 from S702 to S708 is the same as
the operation of IC card 10 from S302 to S308 shown in
Figure 3. When counter i satisfies i>0, CPU 18 calculates
the Montgomery product shown in Figure 10 (S710). When
the calculation of the Montgomery product is completed, 
CPU 18 generates a random number (S712) to carry out a 
predetermined loop calculation (S714) for the number of 
times corresponding to the acquired random number. The 
content of the predetermined loop calculation has no 
relation with decrypting, in the same way as the loop 
calculation in S512 of Figure 5. 

[0027] 

When loop calculation step S714 has been completed, 
CPU 18 decrements counter i by 1, then continues with
processing from S708 to S716 until the Montgomery product 
has been calculated for all bits of secret key Y. In 
addition, when all processing from S708 to S714 has been 
completed, the same processing as in S318 and S320 is 
carried out (S718 and S720), and the sequence of 
decrypting is complete. 

[0028] 

As described above, the loop calculation takes place 
after the calculation of the Montgomery product in S710. 
Therefore, the time spent on the loop calculation delays 
the completion of decrypting and transmission of the 
response in S720. Furthermore, the number of times the
loop calculation takes place is randomly defined by a
random number, so the length of the delay is undefined.
Accordingly, in this embodiment, there is no relationship
between the time at which the response is transmitted and
the time required for calculation of the Montgomery
products in S710, so it is impossible for third parties to
gain knowledge about the bit configuration of secret key Y
by observing the time when the response is transmitted.

[0029]

(Other embodiment)

This invention is not limited to the above
embodiments. These embodiments are examples, and all 
embodiments which have configurations, operations, and 
effects that are effectively applications of the same 
technical ideas as described in the Claims of this 
invention can be included in the technical field of this 
invention. 

[0030] 

For example, in the above embodiments, the case in 
which a cryptogram is given to an IC card from some 
external unit for decrypting is described. However, this 
could also be a method handling the encrypting of plain 
text issued to the IC card from some external device. 
Furthermore, an IC card in which an RSA cryptogram is used 
is described in the above embodiment, but this is not 
intended to mean that the technical scope of this 
invention is limited in this way. The technical idea of 
this embodiment is an IC card which uses a key for 
encrypting or decrypting, which is generally applicable to 
cases in which the time required for the encrypting or 
decrypting of a cryptogram is dependent on the bit 
configuration of the key information. Furthermore, in the 
above embodiment, processing is carried out to delay, 
during or after the decrypting process, the time at which 
decrypting is completed and the time at which the response 
signal is transmitted. However, such a delaying process 
can be applied before the decrypting process.

[0031] 

[Advantages of the Invention]

As described in detail above, the time at which the
response to a command is transmitted has no relationship
with information about the key, so there is no possibility
that such information about the key can be estimated by
third parties who can thus impair the security of an IC
card.

BRIEF DESCRIPTION OF THE DRAWINGS

[Figure 1] Drawing showing the configuration of IC card 10 
for the first embodiment of this invention. 
[Figure 2] Drawing showing the format of the RSA_CALC 
command.

[Figure 3] Flowchart of the operation of IC card 10 when 
the RSA_CALC command is executed. 

[Figure 4] Drawing of the configuration of IC card 30 for 
the second embodiment of this invention. 

[Figure 5] Flowchart of the operation of IC card 30 when 
the RSA_CALC command is executed. 

[Figure 6] Drawing of the configuration of IC card 40 for 
the third embodiment of this invention. 

[Figure 7] Flowchart showing the operation of IC card 40 
when the RSA_CALC command is executed. 
[Figure 8] Drawing describing the manner in which 
information is transferred between external equipment such 
as a reader-writer and an IC card. 
[Figure 9] Drawing showing an algorithm for the 
calculation of the modular exponential executed by using 
the Montgomery method.

[Figure 10] Flowchart showing the content of the process 
for finding the Montgomery product. 

Descriptions of Symbols 

10: IC card 

12: ROM 

14: RAM

16: EEPROM 

18: CPU 

20: Timer module

32: Co-processor

ym *<D'&S 5 0 8£>e>S5 1 4<0«kaSr^t)7S 
i" 0 S 5 0 8**5>S 5 1 4*-C(0&a<0*93SbW:. S 
5 0 8[C*3V^ Ti>0j ©*ft*SJ«fcSft/i<ft5* 

TS 5 1 0<O^WfcftS**XHI^*ft5. — ^\ S 
5 0 8|:*V^T T i > 0J ©*W=dS«fcSft*< fcofc 
Wr&n. 03OS31 8. S32 0tPMli5HffS 
ft (S 5 1 6. S5L8), ^0&mcXm#*T£ 

ft$o 

[0025] (i3 mm&m sc^ x&mzii&Mt s 
mffiMm^^-cmwi-z* me t4, &mm&m<D i c 
K4 oco«^sr*-ria-efc^o i c#— K4 or4, 

■V*jSlCdi5^T»lSEIIBRtt©I C#— Kl 0. 

[002 6 ] ,B'7ii> R SA CAL C > :K«r. jttr 

C*— .F^0«»f^S:*-rtltftEa-eaE>5 o 
RSA__CALC^> KSrHfi^S®-^ I C#— K 

4 o oibfm. s 7 o 2 -a»€> s i o 8 st«e 3 b 

I C#— Kl OOKf^S 3 0 2^&S 7 0 8tT©ll 



f^tia— "T?$>£ 0 S 7 0 SK^T**^ — i # Ti 
>0J <D^#Sr^|fc-rt H CPUl 8 11, EllOtC^b 
f:Mo n t g ome r y a<OtWS:3lfr*-5 (S 7 1 
0) o Montgomer y SOW* a*»T-f<5 k , C 
05 PU1 8»a»Sr*4S* (S 7 1 2) , 3*»bfca» 

K#*r*ia*«rtWft©A^^ihi|[&ltm-* (S7 

14) 0 Bffeoyv — 14, HI 5 (OS 5 1 2(c*5(t 

^w-#iia«K, m-^itfnmk\^mmm^m<o 

10 [0 0 2 7] S 7 1 4<D/W— ^tt^SrJ^Tr*^, CP 
U 1 8 14* i Sr 1 lift*?* y 7t is Y b, <€r<£> 

g ome r y ^Oft^tTibftS *"CS 7 0 8*»feS 7 

1 6*-cotoasri««-t-«o sties 7 0 83a*e>s 7 1 
15 4*-e©*a!a*^Tj|>T-*"ai:, Ei3^s3 1 8, S3 

2 0 tPCAQra^H^r^ft (S 7 1 8, S720) , - 

[0 0 2 8] H±BBUJ:5t, *SOSJBtt"W4, S 
7 1 0tC:}5lt$Mo n t g ome r y8o!tf (OilC/W 

RXfS 7 2 0{z.te\izux7$>x<omm*$\z. sis—zrn 

*frr«0#tta*K:,fc 9«ff»Kft*Sft*fcftlc, 
*S-*-5#IH©*Sr4^flfce"e*>5. Lt*ot, *n 
25 i£^ft|-CI4, ^^#^iS2l(iSftS«Fi; % S710C 
*5l^T i fT;fc>ft5Mo ntogomer y %M<D%tW-$$ffl k 
<z>IHK:ttBBasfc<, *=*#v^#^^asfflrsfts* 

30 [0029] (^(Dmommmm) *»wi4, ± 

E«K»tt^|Rft3cft5t><OTH:ftv\ JilS||J£?gfi§ 
14, W*T*>5, *:%^co#fFlf*o®ia(cfS«$ftfc 
tt«»Sffli:*«»KBI-ft«/aft*b. n«*fpffl3» 

35 WWflSHK'&g'SftSo 

[0 0 30] ^J^L«, JiEiat»Jllfc*V^T(4, I C* 

Sr«fcttBSrbfc*5, rft(4, I C#— Klw*«Ba*&JF 

40 V> e -h!EHJS^S|-t?l4, RSA?f-S-4r<£ffli--5 I 

C*— Kfcov^TRB8bfe«. rfttt, *&m<D$Lffim 

*fx-3 1 c*— K-es>ox. *ow*fkXHa*ffcJffia 
^o^^xr4iitT^^^b&ao^T^Rt5w^ 

*V^«*©^^*3l3iS*SfcJf)(D«!.a*lTo-CV^ 
50 t5:itfcottJ:v^ 
[0031]

[Fig. 1] IC card
[Fig. 2] RSA_CALC command
[Fig. 3] RSA_CALC command, IC card 10
[Fig. 4] IC card 30
[Fig. 5] RSA_CALC command
[Fig. 6] IC card 40
[Fig. 7] RSA_CALC command, IC card 40
[Fig. 8] IC card
[Fig. 9] Montgomery
[Fig. 10] Montgomery

[Explanation of reference numerals]

10 IC card
12 ROM
14 RAM
16 EEPROM
18 CPU

2 0 ^/f-7-^^a-/U 

3 2 s^o-fey^— 



[Fig. 1] Legible labels: 10, 12, ROM, 20.

[Fig. 2] Fields: CLA, INS, P1, P2, LC, DATA, LE.

[Fig. 4] and [Fig. 6] Legible labels: I/O, 40, ROM, EEPROM.
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ftH¥ 1 O — 6 9 2 2 2 
[Fig. 3] Flowchart, steps S302 to S320. Legible boxes: START; N, X, Y, R; A' = 1R mod N; B' = XR mod N; Montgomery; TIMER; i = i - 1; A = MonPro(A', 1); RETURN.

[Fig. 5] Flowchart, steps S502 to S518. Legible boxes: START; N, X, Y, R; A' = 1R mod N; B' = XR mod N; Montgomery; i = i - 1; A = MonPro(A', 1); RETURN.
[Fig. 7] Flowchart, steps S702 to S720. Legible boxes: START; N, X, Y, R; A' = 1R mod N; B' = XR mod N; RETURN.

[Fig. 9] Flowchart, steps S902 to S906. Legible boxes: START; N, X, Y, R; A' = 1R mod N; B' = XR mod N.
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